Unsigned Java applets hit by security update

Next weeks update will warn users when running unsigned code: Oracle recommends shelling out for a certificate.

Oracle are pushing Java
applet developers to sign
their code ahead of next week’s security update. Java SE 7
Update 21, due April 16, will alert users if they attempt to run
unsigned code in the browser.

The move comes as the latest attempt to protect end
users from rampant zero-day exploits, which, though unsigned,
often manage to break out of their sandbox. With an army of
malware writers finding new holes in Java every week, Oracle has
turned to imposing increasingly stringent security measures.

An Internet Explorer-style security scale was
introduced to the Java
Control Panel at the end of last year, and later set to ‘High’
by default. Update 21 will take this a step further by warning
users if they attempt to run a non-signed Java applet.

According to an
Oracle FAQ, the exact warning shown to the user will depend on
a range of factors, such as which privileges the code requests and
whether it is above or below the security baseline.

In addition, next week’s update will remove the “low”
and “custom” security options from the control panel.

The documentation stresses that while none of these
changes should break existing applets, “future update releases may
include additional changes to restrict unsafe behaviors like
unsigned and self-signed applications”.

Certificates must be purchased from “Trusted
Certificate Authorities”, and are only valid for a certain period.
Self-signing is recommended only for “developer and intranet
applications as it also requires managing the keystore for
Java”.

There are plenty of certificate-signing authorities,
usually starting at around $100 per year, and generating your own
self-signed certificate is relatively easy to do
using the JDK’s builtin keytool.

However, it remains to be seen whether this change will
genuinely protect the number of zero-day exploits emerging – or
merely inconvenience developers.